Security


Proxy Server supports a number of features to improve your network's security and to let you to manage which users are allowed to connect to which sites. You can filter packets at the external interface, preventing inappropriate packet traffic from entering or leaving your network, and you can control access to the various proxy services by user and group access control lists. This filtering can be particularly helpful in a large network where certain users or areas shouldn't be permitted access outside the internal network, or even outside a particular segment of the network. A good example is a training room where you want users to be able to see only the servers and services that they should see.

A detailed discussion of Proxy Server security is beyond the scope of this chapter, but we can at least delineate where and what the options are. They include

  • Packet filtering
  • Access control
  • Domain filters
  • Alerting
  • Logging

Packet Filtering

Proxy Server comes with a set of predefined packet filters that you can enable. In addition, you can create your own packet filters that minutely control which kinds of packets you will allow into your network. To enable and configure packet filtering, follow these steps:

  1. Open the Internet Information Services MMC snap-in and right-click Web Proxy. Choose Properties from the shortcut menu to open the Web Proxy Service Properties window for that server, as shown earlier in Figure 30-11.
  2. Click the Security button to open the Security dialog box shown in Figure 30-25.

    Figure 30-25. The Packet Filters tab of the Security dialog box.

  3. Select Enable Packet Filtering On External Interface.
  4. The predefined packet filters are shown. You can add custom packet filters by clicking the Add button to open the Packet Filter Properties window shown in Figure 30-26.

    Figure 30-26. The Packet Filter Properties window.

    The options for custom filters are as follows:

    • Protocol ID: TCP, UDP, or ICMP.
    • Direction: Incoming, outgoing, or both.
    • Local Port: Any port, a fixed port, or dynamic ports.
    • Remote Port: Any port or a fixed port.
    • Local Host: The computer that exchanges packets with the remote host, usually the proxy server itself.
    • Specific Proxy IP: A specific external interface of the proxy server that can exchange packets for this custom filter.
    • Internal Computer: A specific computer, normally hidden behind the proxy server, that can exchange this type of packet with the remote host.
    • Remote Host: The remote host that can exchange this type of packet with the local host. Can be a specific host or any host.

  5. Once you've configured any custom packet filters and made any other changes to existing filters, click OK to accept the changes and return to the main Web Proxy Service Properties window.
  6. Make your configuration selections and click OK to accept the changes and close the window, or click Apply to apply the changes and leave the window open for further configuration changes.
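
The following is an added example, not code from the book or from Proxy Server, that models the custom filter fields listed above and checks sample packets against a filter set. It assumes that packet filtering on the external interface is deny-by-default (only packets matched by a predefined or custom filter pass), that "dynamic" means the 1025-5000 client port range, and it uses constructed addresses.

```python
from dataclasses import dataclass
from typing import List, Union

Port = Union[int, str]  # a fixed port number, "any", or "dynamic"


@dataclass
class PacketFilter:
    """One custom filter, with the fields from the Packet Filter Properties window."""
    protocol: str      # "TCP", "UDP" or "ICMP"
    direction: str     # "in", "out" or "both"
    local_port: Port   # fixed port, "any" or "dynamic"
    remote_port: Port  # fixed port or "any"
    local_host: str    # a proxy external IP or an internal computer's IP
    remote_host: str   # a specific remote IP or "any"


@dataclass
class Packet:
    """A packet seen on the external interface (constructed sample data)."""
    protocol: str
    direction: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


# Assumption: "dynamic" means the NT-era ephemeral client range 1025-5000.
DYNAMIC_RANGE = range(1025, 5001)


def port_matches(rule: Port, port: int) -> bool:
    if rule == "any":
        return True
    if rule == "dynamic":
        return port in DYNAMIC_RANGE
    return rule == port


def filter_matches(f: PacketFilter, p: Packet) -> bool:
    return (f.protocol == p.protocol
            and f.direction in ("both", p.direction)
            and port_matches(f.local_port, p.local_port)
            and port_matches(f.remote_port, p.remote_port)
            and f.local_host == p.local_ip
            and f.remote_host in ("any", p.remote_ip))


def packet_allowed(filters: List[PacketFilter], p: Packet) -> bool:
    """Deny by default: a packet crosses the external interface only if some filter allows it."""
    return any(filter_matches(f, p) for f in filters)


# Constructed sample: let the proxy's external interface exchange DNS traffic and nothing else.
FILTERS = [PacketFilter("UDP", "both", "dynamic", 53, "203.0.113.10", "any")]
```

With this filter set an inbound TCP connection to the proxy's telnet port is dropped while a DNS query from an ephemeral port and its reply both pass.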

Enabling Access Control

You can enable access control permissions on the various protocols, permitting or disallowing use of the protocols by user or by group. This option can be useful for controlling access from areas of the network or particular groups of users that have no business reason to be accessing the Internet.

Configuring access control is the same for each of the services, so we'll describe how to enable and configure only the Web Proxy services. To enable access control for Web Proxy, follow these steps:

  1. Open the Internet Information Services MMC snap-in and right-click Web Proxy. Choose Properties from the shortcut menu to open the Web Proxy Service Properties window for that server, shown earlier in Figure 30-11.
  2. Click the Permissions tab, as shown in Figure 30-27.

    Figure 30-27. The Permissions tab of the Web Proxy Service Properties window.

  3. Select the Enable Access Control check box.
  4. Select the protocol to configure from the Protocol drop-down list. For Web Proxy, you can grant access to FTP (read only), Web (HTTP), Secure (HTTPS), and Gopher protocols individually.
  5. To add particular users or groups that you will grant access to the protocol, click the Edit button and select the group or user name.
  6. Once you've added all the users and groups to each protocol, click Apply to apply the changes to Web Proxy and continue configuring other settings, or click OK to apply the changes and close the window.

CAUTION
We strongly advise that you control access to the various proxy protocols using groups. Controlling at the individual user level will make it difficult to manage and troubleshoot problems that arise.

Enabling Domain Filters

You can manage Internet access to particular domains or IP addresses for all users. This allows you to provide strictly limited access to key sites, for example, or to exclude certain sites from your users. However, managing this for a large number of sites could be a major management problem, especially since objectionable sites seem to move far more frequently than desirable sites. Third-party add-ons exist for Proxy Server that handle this problem better and are updated on a regular basis. To enable domain filters, follow these steps:

  1. Open the Internet Information Services MMC snap-in and right-click Web Proxy. Choose Properties from the shortcut menu to open the Web Proxy Service Properties window for that server, shown earlier in Figure 30-11.
  2. Click the Security button. Choose the Domain Filters tab, as shown in Figure 30-28.

    Figure 30-28. The Domain Filters tab of the Security dialog box.

  3. Select the Enable Filtering check box.
  4. To grant access to all domains except those you list as denied, select the Granted option.
  5. To deny access to all domains except those explicitly allowed, select the Denied option.
  6. To add a domain to the list of excluded or granted domains, click the Add button to open the Deny Access To dialog box (or the Grant Access To dialog box if you're listing domains that users are explicitly allowed access to). You can specify the access by single computer, by group of computers, or by domain name.
  7. When you've made your selections, click OK to return to the Domain Filters tab.
  8. To add more selections, click Add again. To remove a selection, highlight it and click Remove. To change a previously created selection, click Edit.
  9. When you've finished editing the domain filters, click OK to return to the main Web Proxy Service Properties window. Click Apply to accept the settings and continue configuring, or click OK to implement the changes and close the window.

NOTE
Only proxy servers that are directly connected to the Internet can perform domain filtering. Proxy servers that are downstream of another proxy server must leave the domain filtering to the upstream proxy server.
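
As an added example (not the book's or Proxy Server's own code), here is the Granted/Denied decision in Python, covering the three entry kinds the dialog accepts: a single computer, a group of computers written as an IP address plus subnet mask, and a domain name. That a domain-name entry also covers its subdomains is an assumption, and all addresses and names are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import List


def parse_ip(text: str):
    """Return an IP address object, or None when text is a domain name."""
    try:
        return ip_address(text)
    except ValueError:
        return None


def entry_matches(entry: str, target: str) -> bool:
    """entry is one list item: a single computer (IP), a group of computers
    (IP/mask, e.g. 192.0.2.0/255.255.255.0) or a domain name. target is the
    host name or IP address the user asked for."""
    addr = parse_ip(target)
    if addr is not None:
        try:
            # A single IP parses as a /32 network, so one branch handles both.
            return addr in ip_network(entry, strict=False)
        except ValueError:
            return False  # a domain-name entry never matches a bare IP request
    if parse_ip(entry.split("/")[0]) is not None:
        return False      # an IP-based entry never matches a host-name request
    host = target.lower().rstrip(".")
    domain = entry.lower().rstrip(".")
    # Assumption: a domain entry also covers its subdomains.
    return host == domain or host.endswith("." + domain)


def access_allowed(default: str, entries: List[str], target: str) -> bool:
    """default is the radio button: 'Granted' (the list holds denied sites)
    or 'Denied' (the list holds the only allowed sites)."""
    listed = any(entry_matches(e, target) for e in entries)
    if default == "Granted":
        return not listed
    if default == "Denied":
        return listed
    raise ValueError("default must be 'Granted' or 'Denied'")


# Constructed samples: a deny list for general users, an allow list for a training room.
DENY_LIST = ["badsite.example", "192.0.2.0/255.255.255.0"]
TRAINING_ALLOW = ["training.example", "198.51.100.20"]
```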

Alerting

When packet filtering is enabled, you can set alerts that warn you of suspicious behavior on the external interface. You can be alerted when packets are rejected, protocol violations occur, or the disk becomes full. And you can have the alert simply added to the event log, or have an SMTP e-mail sent. To configure alerting for Web Proxy, follow these steps:

  1. Open the Internet Information Services MMC snap-in and right-click Web Proxy. Choose Properties from the shortcut menu to open the Web Proxy Service Properties window for that server.
  2. Click the Security button. Choose the Alerting tab, as shown in Figure 30-29.

    Figure 30-29. The Alerting tab of the Security dialog box.

  3. Configure the settings for alerts. The settings are set separately for each type of event, allowing you to tune for the area of greatest concern. The settings are as follows:
    • Event: Rejected packets, protocol errors, or disk full.
    • Generate System Event If More Than: Allows you to set the threshold of suspicious events that will trigger the alarm.
    • Send SMTP Mail: Allows you to send mail, including mail to a pager, in the event of an alert.
    • Report To Windows NT Event Log: Creates an entry in the event log.
    • Delay Before Next Report: The number of minutes before this type of event will trigger an additional alert.

  4. To configure the mail settings, click Configure Mail. The Configure Mail Alerting dialog box appears, as shown in Figure 30-30.

    Figure 30-30. You can configure alerting to send you SMTP mail.

  5. In the Mail Server text box, fill in the SMTP server, the port used, the user or mailbox to send the alert to, and the sending user. You can send a test message by clicking the Test button.
  6. When the SMTP alert mail is working correctly, click OK to return to the Alerting tab in the Security dialog box.
  7. When you've finished editing the alerts, click OK to return to the main Web Proxy Service Properties window. Click Apply to accept the settings and continue configuring, or click OK to implement the changes and close the window.
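
An added example, not the book's code, that replays a constructed stream of rejected-packet events through the two tuning knobs above: the Generate System Event If More Than threshold and the Delay Before Next Report suppression. That the threshold is counted over a one-second window is an assumption; the timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class AlertPolicy:
    """Settings for one event type (rejected packets, protocol errors or disk full)."""
    threshold: int      # Generate System Event If More Than: events per window
    delay_minutes: int  # Delay Before Next Report: minutes between alerts of this type
    # Assumption: the threshold is counted over a one-second window.
    window: timedelta = timedelta(seconds=1)


def alert_times(policy: AlertPolicy, events: List[datetime]) -> List[datetime]:
    """Replay a time-ordered stream of events and return when alerts would fire."""
    alerts: List[datetime] = []
    window_start: Optional[datetime] = None
    last_report: Optional[datetime] = None
    count = 0
    for ts in events:
        if window_start is None or ts - window_start >= policy.window:
            window_start, count = ts, 0   # a new rate window begins
        count += 1
        if count <= policy.threshold:
            continue
        count = 0   # one burst raises at most one alert, then counting restarts
        hold = timedelta(minutes=policy.delay_minutes)
        if last_report is not None and ts - last_report < hold:
            continue  # inside the Delay Before Next Report period: suppressed
        alerts.append(ts)
        last_report = ts
    return alerts


def burst(start: datetime, n: int) -> List[datetime]:
    """Constructed sample: n rejected packets spaced 10 ms apart."""
    return [start + timedelta(milliseconds=10 * i) for i in range(n)]


T0 = datetime(2000, 3, 1, 9, 0, 0)
SAMPLE = (burst(T0, 25)                            # exceeds a threshold of 20
          + burst(T0 + timedelta(minutes=2), 25)   # within a 5-minute delay: no alert
          + burst(T0 + timedelta(minutes=6), 25))  # delay has passed: alert again
```

With a threshold of 20 and a 5-minute delay the three bursts produce two alerts, which is the trade-off the tab lets you tune: a lower threshold catches smaller scans, a longer delay keeps a sustained flood from filling the event log or your mailbox.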

Logging

By default, Proxy Server logs a variety of information about security events. You can configure the logging to use standard files or to go to a database for more detailed analysis, as well as configuring the level of detail stored. To configure logging for the security events, follow these steps:

  1. Open the Internet Information Services MMC snap-in and right-click WinSock Proxy. Choose Properties from the shortcut menu to open the WinSock Proxy Service Properties window for that server.
  2. Click the Security button. Choose the Logging tab.
  3. Select your configurations and click OK to accept the changes and close the window, or click Apply to simply apply the changes and leave the window open for further configuration changes.

The available settings are as follows:

  • Enable Logging Using: Regular or Verbose format. Controls how much detail is logged.
  • Log To File: Change the settings for file logging. Options include:
    • Automatically Open A New File: Daily, weekly, or monthly.
    • Limit The Number Of Old Files To: Set the number of log files to save.
    • Stop Service If Disk Is Full: Stop the proxy service if the disk becomes full and you can't continue logging.
    • Log File Directory: Location of log files.

  • Log To SQL/ODBC Database: Allows connection to any SQL or ODBC data source. Options are:
    • ODBC Data Source Name (DSN): The ODBC connection name.
    • Table: The table in the data source to store the log information.
    • User name: The user name used to connect to the data source.
    • Password: The password to use to connect to the data source.


Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366
